
28 Oct 2012, 3:06 p.m.
On Sun, Oct 28, 2012 at 03:53:04PM +0100, Petr P wrote:
> 2012/10/28 Iustin Pop:
> > On Sun, Oct 28, 2012 at 01:38:46PM +0100, Petr P wrote:
> > > Does cabal need to do any authenticated stuff? For downloading packages I think HTTP is perfectly fine. So we could have HTTP for cabal download only and HTTPS for everything else.
> >
> > Kindly disagree here. Ensuring that packages are downloaded safely/correctly without MITM attacks is also important. Even if as an option.
>
> Good point. But if cabal+https is a problem, this could be solved by other means too, for example by signing the packages.

Well, I agree, but then the same could be applied on upload too, like Debian does - instead of user+pw, register a GPG key.

iustin